Chapter 2 Understanding Identity and Access Management

Question 1

___________ occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses.

Answer 1

Identification

Question 2

Users then prove their identity with _________, such as with a password.

Answer 2

Authentication

Question 3

True or False : You can’t have any type of access control if you can’t identify a user.

Answer 3

True

Question 4

True or False : Authentication, authorization, and accounting (AAA) work together with identification to provide a comprehensive access management system.

Answer 4

True

Question 5

Users are granted __________ to access resources based on their proven identity.

Answer 5

Authorization

Question 6

___________ methods track user activity and record the activity in logs.

Answer 6

Accounting

Question 7

An _____ ____ allows security professionals to re-create the events that preceded a security incident.

Answer 7

Audit trail

Question 8

True or False : A use case of supporting authentication may require administrators to implement one factor of authentication for basic authentication, two factors for more secure authentication, or more factors for higher security.

Answer 8

True

Question 9

List factors for authentication

Answer 9

1. Something you know - PIN, password
2. Something you have - CAC, Smart card
3. Something you are - Biometric - fingerprint, retina, face
4. Something you are such as you location
5. Something you do - pattern swipe, gestures

Question 10

The ________ __ _____ authentication factor typically refers to a shared secret, such as a password or even a PIN.

Answer 10

Something you know

Question 11

What is the least secure form of authentication?

Answer 11

Something you know

Question 12

True or False :

A strong password is of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:
• Uppercase characters (26 letters A–Z)
• Lowercase characters (26 letters a–z)
• Numbers (10 numbers 0–9)
• Special characters (32 printable characters, such as !, $, and *)

Answer 12

True

Question 13

What does MS recommend for minimum password length as of 2016?

Answer 13

14 characters

Question 14

True or False : The combination of different characters in a password makes up the key space, and you can calculate the key space with the following formula: C^N (CN). C is the number of possible characters used, and N is the length of the password

Answer 14

True

Question 15

True or False : An attacker can crack a 10-character password using only lowercase characters (141 trillion possibilities)in less than two hours.

Answer 15

True

Question 16

Why do security experts say that too complex passwords are less secure?

Answer 16

Because it is more difficult to remember and users will likely write it down or store in an insecure file.

Question 17

True or False : Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters

Answer 17

True

Question 18

True or False : It’s not important for an organization to provide adequate training to users on password security.

(Page 172).

Answer 18

False

It is important

Question 19

True or False : Users should change their passwords regularly, such as every 45 or 90 days.

Answer 19

True

Question 20

True or False : Before resetting passwords for users, it’s important to verify the user’s identity. When resetting passwords manually, it’s best to create a temporary password that expires upon first use.

Answer 20

True

Question 21

A _______ _______ system remembers past passwords and prevents users from reusing passwords

Answer 21

Password history

Question 22

True or False : It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing these until they’ve used 24 new passwords

Answer 22

True

Question 23

_____ ______ allows an administrator to configure a setting once in a ______ ______ ______ and apply this setting to many users and computers within the domain.

Answer 23

Group Policy, Group Policy Object (GPO)

Question 24

True or False : Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more

Answer 24

True

Question 25

A common group of settings that administrators configure in Group Policy is the _______ Policy settings

Answer 25

Password

Question 26

List some of the elements of password policies

Answer 26

1. Minimum password age - to prevent users from reusing a previous password
2. Maximum password age - to trigger expiration
3. Minimum password length - to promote complexity
4. Password complexity requirements - to promote complexity

Question 27

True or False : Accounts will typically have lockout policies preventing users from guessing the password

Answer 27

True

Question 28

List two key phrases associated with lockout policies

Answer 28

1. Account lockout threshold - number of attempts before locking account
2. Account lockout duration - length of time before account is unlocked

Question 29

A basic security practice is to change _______ settings before putting a system into use.

Answer 29

Default

Question 30

True or False : Some administrators create a dummy account named administrator which has no permissions.

Answer 30

True

If an attempt is made with this account the system will lock the account out and alert administrators

Question 31

The _______ ___ _____ authentication factor refers to something you can physically hold.

Answer 31

Something you have

Question 32

_____ ______ are credit card-sized cards that have an embedded microchip and a certificate. Users insert them into a reader, similar to how someone would insert a credit card into a credit card reader.

Answer 32

Smart cards

Question 33

List the requirements for a smart card

Answer 33

1. Embedded certificate - cert holds a user’s private key and matched with a public key (available to others for use). Private key is used each time the user logs on
2. Public Key Infrastructure (PKI) - supports issuing and managing certs

Question 34

A _____ ______ _____ is a specialized type of smart card used by the U.S. Department of Defense.

Answer 34

Common Access Card (CAC)

Question 35

True or False : A CAC card includes a photo of the user and can be used as a form of identification

Answer 35

True

Question 36

A _______ _____ ________ card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does

Answer 36

Personal Identity Verification (PIV)

Question 37

True or False : Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.

Answer 37

True

Question 38

A ______ or ___ __ is an electronic device about the size of a remote key for a car

Answer 38

token or key fob (sometimes simply called a fob)

Question 39

True or False : A token includes a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds.

Answer 39

True

Question 40

The _____ is synced with a server that knows what the number is at any moment.

Answer 40

Token

Question 41

_______ ______ ___ ____ ______ is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs.

Answer 41

HMAC-based One-Time Password (HOTP)

Question 42

True or False : A password created with HOTP remains valid until it’s used.

Answer 42

True

Question 43

A ____ _____ ___ ____ _______ is similar to HOTP, but it uses a timestamp instead of a counter.

Answer 43

Time-based One-Time Password (TOTP)

Question 44

True or False : One significant benefit of HOTP and TOTP is price. Hardware tokens that use these open source standards are significantly less expensive than tokens that use proprietary algorithms

Answer 44

True

Question 45

TOTP expires after __ seconds

Answer 45

30

Question 46

The ________ ___ ___ authentication factor uses biometrics for authentication

Answer 46

Something you are

Question 47

True or False : Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify.

Answer 47

True

Question 48

________ use a physical characteristic, such as a fingerprint, for authentication

Answer 48

Biometrics

Question 49

List some types of biometrics

Answer 49

1. Fingerprint scanner
2. Retina scanner
3. Iris scanner
4. Voice recognition
5. Facial recognition

Question 50

True or False : A drawback with facial recognition is that it is sometimes negatively affected by changes in lighting.

Answer 50

True

Question 51

List two biometric false readings

Answer 51

1. False acceptance

2. False rejection

Question 52

The _____ ______ ____ identifies the percentage of times false acceptance occurs

Answer 52

False acceptance rate

Question 53

The _____ _________ ____ identifies the percentage of times false rejections occur

Answer 53

False rejection rate

Question 54

True or False : True acceptance is when the biometric system accurately determines a positive match

Answer 54

True

Question 55

True or False : True rejection occurs when the biometric system accurately determines a non-match

Answer 55

True

Question 56

By increasing the sensitivity for a biometric, it ________ the number of false matches and ________ the number of false rejections

Answer 56

Decreases, increases

Question 57

Decreasing the sensitivity for a biometric ______ the false matches and ________ the false rejections.

Answer 57

Increases,decreases

Question 58

True or False : By plotting the FAR and FRR rates using different sensitivities, you can determine the effectiveness of a biometric system

Answer 58

True

Question 59

The ________ ____ ____ is the point where the FAR crosses over with the FRR

Answer 59

Crossover error rate (CER)

Question 60

True or False : A lower CER indicates that the biometric system is more accurate

Answer 60

True

Question 61

The _______ ___ ___ authentication factor identifies a user’s location

Answer 61

Somewhere you are

Question 62

True or False : Many authentication systems use the Internet Protocol (IP) address for geolocation

Answer 62

True

Question 63

True or False : Within an organization, it’s possible to use the computer name or the media access control (MAC) address of a system for the somewhere you are factor

Answer 63

True

Question 64

The ________ ___ __ authentication factor refers to actions you can take such as gestures on a touch screen

Answer 64

Something you do

Question 65

True or False : Some examples of something you do are gestures, keystroke dynamics

Answer 65

True

Question 66

____ _____ ____________ uses two different factors of authentication, such as something you have and something you know

Answer 66

Dual-factor authentication (sometimes called two-factor authentication)

Question 67

__________ ____________ uses two or more factors of authentication

Answer 67

Multifactor authentication

Question 68

True or False : Using two methods of authentication in the same factor is dual- factor authentication.

Answer 68

False

They must be two different factors

Question 69

True or False : Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors

Answer 69

True

Question 70

______ is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms

Answer 70

Kerberos

Question 71

True or False:

The requirements for kerberos are:

1. Method of issuing tickets used for authentication
2. Time synchronization - v5 all systems synced within five minutes of each other
3. A database of subjects or users i.e. MS AD

Answer 71

True

Question 72

The __ _______ _____ uses a complex process of issuing ticket granting tickets (TGTs) and other tickets.

Answer 72

Key Distribution Center (KDC)

Question 73

Kerberos uses _________ ___ cryptography to prevent unauthorized disclosure and to ensure confidentiality.

Answer 73

Symmetric-key

Question 74

___ ______ ___ ______ is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems

Answer 74

New Technology LAN Manager (NTLM)

Question 75

True or False : Developers should use the Negotiate security package within their applications since it selects the most secure security protocols available between the systems

Answer 75

True

Question 76

_________ ______ ______ _______ specifies formats and methods to query directories.

Answer 76

Lightweight Directory Access Protocol (LDAP)

Question 77

True or False : Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management.

Answer 77

True

Question 78

True or False : LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions.

Answer 78

True

Question 79

True or False : LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. LDAPS encryptstransmissions with TLS

Answer 79

True

Question 80

______ ___ __ refers to the ability of a user to log on or access multiple systems by providing credentials only once

Answer 80

Single sign-on (SSO)

Question 81

True or False : SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.

Answer 81

True

Question 82

True or False : The SSO system typically creates some type of SSO secure token used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication. Kerberos and LDAP both include SSO capabilities.

Answer 82

True

Question 83

SSO requires strong ___________ to be effective.

Answer 83

Authentication

Question 84

A _______ trust creates an indirect trust relationship.

Answer 84

Transitive

A –> B –> C : A –> C

Question 85

True or False : There is a two-way trust between parent domain and child domain. Child domains also have a two way transitive trust with each other thru their relationship with the parent domain

Answer 85

True

Question 86

True or False : Without a trust relationship, separate accounts need to be created per domain

Answer 86

True

Question 87

________ ______ _______ _______ is an Extensible Markup Language (XML)– based data format used for SSO on web browsers.

Answer 87

Security Assertion Markup Language (SAML)

Question 88

List three SAML defined roles

Answer 88

1. Principal - typically a user
2. Identity provider - creates, maintains, and manages identity information
3. Service provider - an entity that provides services to principals

Question 89

True or False : The primary purpose of SSO is for identification and authentication of users.

Answer 89

True

Question 90

True or False : SSO provides authorization

Answer 90

False

Question 91

True or False : Many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems

Answer 91

True

Question 92

True or False : It’s possible to use SAML for single sign-on (SSO) authentication and authorization

Answer 92

True

Question 93

True or False : SSO systems can connect authentication mechanisms from different environments i.e. different operating systems

Answer 93

True

Question 94

A _________ requires a federated identity management system that all members of the federation use

Answer 94

Federation

Question 95

True or False : Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.

Answer 95

True

Question 96

_____ is an open standard for authorization many companies use to provide secure access to protected resources.

Answer 96

OAuth

Question 97

True or False : With OAuth, you can often use the same account that you’ve created with Google, Facebook, PayPal, Microsoft, or Twitter

Answer 97

True

Question 98

______ Connect works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials.

Answer 98

OpenID

Question 99

_______ _________ is concerned with the creation, management, disablement, and termination of accounts.

Answer 99

Account management

Question 100

_____ _________ specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.

Answer 100

Least privilege

Question 101

A primary goal of implementing least privilege is to ______ risks

Answer 101

Reduce

Question 102

Least privilege is a _______ control.

Answer 102

Technical

Question 103

True or False : The principle of need to know is that users are granted access only to the data and information that they need to know for their job.

Answer 103

True

Question 104

What is the difference between least privilege and need to know?

Answer 104

The difference is that least privilege focuses on access (rights and permissions) and need to know focuses on data and information

Question 105

List some common types of accounts

Answer 105

1. End user accounts
2. Privileged accounts
3. Guest accounts
4. Service accounts

Question 106

A _________ account has additional rights and privileges beyond what a regular user has

Answer 106

Privileged

Question 107

True or False : Administrators commonly disable the Guest account and only enable it in special situations.

Answer 107

True

Question 108

Some applications and services need to run under the context of an account and a _______ account fills this need.

Answer 108

Service

Question 109

True or False : Service accounts are like regular end user accounts except it’s only being used by a service or application.

Answer 109

True

Question 110

True or False : One of the challenges with service accounts is that they often aren’t managed.

Answer 110

True

Question 111

True or False : It’s common to require administrators to have two accounts. They use one account for regular day-to-day work. It has the same limited privileges as a regular end user. The other account has elevated privileges required to perform administrative work, and they use this only when performing administrative work

Answer 111

True

Question 112

True or False : Users should not use shared accounts

Answer 112

True

Question 113

Many organizations have a _________ policy that specifies how to manage accounts in different situations.

Answer 113

Disablement

Question 114

True or False : Disabling accounts is preferred over deleting the account, at least initially. If administrators delete the account, they also delete any encryption and security keys associated with the account. However, these keys are retained when the account is disabled.

Answer 114

True

Question 115

True or False : Some contents of an account disablement policy:

1. Terminated employee
2. Leave of absence
3. Delete account

Answer 115

True

Question 116

True or False :
An account disablement policy identifies what to do with accounts for employees who leave permanently or on a leave of absence. Most policies require administrators to disable the account as soon as possible, so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but are no longer accessible if the account is deleted.

Answer 116

True

Question 117

True or False : Two primary account recovery scenarios are:

1. Enable a disabled account
2. Recover a deleted account

Answer 117

True

Question 118

____ __ ___ restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the restricted time, the system denies access to the user

Answer 118

Time-of-day

Question 119

True or False with time of day restrictions once the end of day threshold has been reached it automatically logs out active sessions

Answer 119

False

It leaves active sessions but does not allow new sessions

Question 120

_______ _____ policies restrict access based on the location of the user

Answer 120

Location-based

Question 121

True or False : With location based policies you can either blacklist or whitelist IP addresses or filter MAC addresses

Answer 121

True

Question 122

True or False : It’s possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account

Answer 122

True

Question 123

Administrators routinely perform account maintenance. This is often done with _____ to automate the processes

Answer 123

Scripts

Question 124

A __________ is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password).

Answer 124

Credential

Question 125

List some examples of credential management systems

Answer 125

1. Windows 10 Credential Manager
2. Google Chrome

These store credentials in secure vaults for future use

Question 126

______ control ensures that only authenticated and authorized entities can access resources.

Answer 126

Access

Question 127

______ _____ access control (role-BAC) uses roles to manage rights and permissions for users.

Answer 127

Role-based

Question 128

True or False : With role-BAC, an administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role.

Answer 128

True

Question 129

True or False : It’s common to document role-based permissions with a matrix listing all of the job titles and the privileges for each role.

Answer 129

True

Question 130

Role-BAC is also called _________-based or job-based:

Answer 130

Hierarchy

Question 131

True or False : Administrators commonly grant access in the role-BAC model using roles, and they often implement roles as groups known as group-based access control

Answer 131

True

Question 132

True or False : In Windows, The Administrators group is an example of a built-in security group.

Answer 132

True

Question 133

True or False : Without groups, you would use user-assigned privileges. In other words, you would assign all the specific rights and permissions for every user individually. This might work for one or two users, but quickly becomes unmanageable with more users.

Answer 133

True

Question 134

True or False : Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.

Answer 134

True

Question 135

____-based access control (____-BAC) uses ____.

Answer 135

Rule(s)

Question 136

Routers and firewalls use _____ within access control lists (ACLs). These _____ define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers. These _____ are typically static. In other words, administrators create the ______ and the ______ stay the same unless an administrator changes them again.

Answer 136

Rules

Question 137

True or False : Some rules can be dynamic.

Answer 137

True

For example, intrusion prevention systems can detect attacks, and then modify rules to block traffic from an attacker.

Question 138

True or False : it’s possible to configure user applications with rules i.e. database rule to trigger a change to permissions

Answer 138

True

Question 139

In the _________ access control (DAC) model, every object (such as files and folders) has an owner, and the owner establishes access for the objects.

Answer 139

Discretionary

Question 140

True or False : A common example of the DAC model is the New Technology File System (NTFS) used in Windows.

Answer 140

True

Question 141

True or False : Microsoft systems identify users with security identifiers (SIDs)

Answer 141

True

Question 142

True or False : Every object (such as a file or folder) includes a discretionary access control list (DACL) that identifies who can access it in a system using the DAC model. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to the SID.

Answer 142

True

Question 143

True or False : An inherent flaw associated with the DAC model is the susceptibility to Trojan horses.

Answer 143

True

Question 144

The _________ access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access.

Answer 144

Mandatory

Question 145

True or False : With MAC security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.

Answer 145

True

Question 146

True or False : Security-enhanced Linux (SELinux)is one of the few operating systems using the mandatory access control model.

Answer 146

True

Question 147

The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a _____.

Answer 147

Lattice

Question 148

True or False : The MAC model uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals

Answer 148

True

Question 149

True or False : An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects.

Answer 149

True

Question 150

An ________-based access control (ABAC) evaluates ________ and grants access based on the value of these _________.

Answer 150

Attribute(s)

NIST 800-162

Question 151

True or False : ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.

Answer 151

True

Question 152

True or False : Many software defined networks (SDNs) use ABAC models. Instead of rules on physical routers, policies in the ABAC system control the traffic. These policies typically use plain language statements.

Answer 152

True

Question 153

True or False : ABAC policies typically include the following four elements:

1. Subject - user
2. Object - resource being accessed
3. Action - what the user is attempting to do
4. Environment - includes everything outside of the subject and object attributes. This is often referred to as the context of the access request.

Answer 153

True